RE: extend validity of existing certificates

2003-02-17 Thread Markus Lorch
 
 On my little system I've three types of self created certificates that
 will all expire this year (I didn't pay much attention to expiration
 when first creating them).
 
 I'm now looking for a way to extend this validity without recreating
 the certificates and therefore breaking existing trust-relations.

There is no way to extend certificate validity (other than changing your
computer clock - not recommended) but you can issue a new certificate
with the same keypair used originally (standard procedure for renewal)

but because you maintain the keys you are not breaking any trust
relations

 
 i) my CA. I have the key-file and the crt-file.
   If I need to recreate this I need to recreate and resign all
 certificates of type ii) also and I'll need to redistribute the new CA
 to all clients that have this cert installed.

only the cert file needs recreation and yes, all the clients will have
to have the new cert (watch out to use the same subject as well, i.e.
create a new, identical certificate that only differs in the validity
and serial number)

 
 ii) the certificates signed by the above CA. These are mostly
 certificates for virtual hosts with my apache. I've the key-file and
 the crt-file and even the csr-file.
 

none of these need to be recreated because of the new CA certificate,
however if these certs expire themselves then you also need to renew
them. Same as before, only the certs need renewal - key pairs can be
maintained

 iii) selfsigned certificates I use for securing mailtransfer.
 I have the pem-file in this case.

same as above, create a new cert but maintain the key. But actually you
can simply reuse your expired cert as they are self-signed, you (and
nobody else) trusts your certs. All the trust is directly in your
public-private key pair.
 
 I hope that I can extend the validity with openssl without recreating.
 

nope, that's what makes certificates safe. 

Markus
 


 
 thnx,
 peter
 
 -- 
 mag. peter pilsl
 IT-Consulting
 tel: +43-699-1-3574035
 fax: +43-699-4-3574035
 [EMAIL PROTECTED]
 http://www.goldfisch.at
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 




Re: extend validity of existing certificates

2003-02-17 Thread Hotmail
It is not true, because it is possible to extend the validity of a
certificate, even with openssl.

You have to create a new certification request, with an extended period of
time.

Rossi


- Original Message -
From: Markus Lorch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 17, 2003 3:10 PM
Subject: RE: extend validity of existing certificates



RE: extend validity of existing certificates

2003-02-17 Thread Markus Lorch
 
 
 It is not true, because it is possible to extend the validity of a
 certificate, even with openssl.

I'd be really curious how you accomplish this, other than the solution
below ... which creates a new cert request which becomes a new cert
after the cert request has been signed

I.e. a PKC is a signed construct, if you change anything within the
construct (i.e. the validity) you have to create a new signature and
thus have a new certificate that is != to the old one. The only thing
you can (and want to) keep is the key pair.

 
 You have to create a new certification request, with an extended
 period of time.
 
 Rossi



Re: extend validity of existing certificates

2003-02-17 Thread pilsl

Thnx a lot for your detailed answer.

I already started following your recommendations and created a new
CA.crt based on the given old ca.key and also created a new CSR
(also based on its old key) and signed it with the new CA to get a
new CRT.

The new CRT is perfectly accepted by all clients (webbrowsers) even if
they have the old CA.CRT installed.
So I've time to distribute the new CA.CRT until the old CA.CRT expires.

I tested this scenario by changing the clock of some clients. IE5.5 will
then claim that the certificate itself has expired ..

thnx again,
peter

On Mon, Feb 17, 2003 at 09:10:39AM -0500, Markus Lorch wrote:

-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
[EMAIL PROTECTED]
http://www.goldfisch.at



Re: r.e. OpenSSL and MacOS (pre-OS X)

2003-02-17 Thread Aram Perez
Hi Rodney,

Rodney Thayer wrote:

 I'm trying to build OpenSSL 0.9.7 on OS X 10.2.3 with CodeWarrior.
 I tried using the 'mcp' files in the MacOS directory, but they
 don't work.  Specifically, they can't find /usr/include/sys/types.h.
 
 Short of being grumpy the compiler's too clueless to find fundamentals
 like /usr/include, anyone have any ideas?
 
 Does anyone build on OS X?  With CodeWarrior, not GNU?

I've built it with GNU on OS X. The only problem I ran into was the problem
stated in the file PROBLEMS, where OS X already has an older version of the
OpenSSL libraries.

Regards,
Aram




Re: r.e. OpenSSL and MacOS (pre-OS X)

2003-02-17 Thread Rodney Thayer
At 07:15 AM 2/17/2003 -0800, Aram wrote:



I've built it with GNU on OS X. The only problem I ran into was the problem
stated in the file PROBLEMS, where OS X already has an older version of the
OpenSSL libraries.


I've done that too.  There is, by the way, a serious problem with
that workaround.  If you delete the openssl libraries from /usr/lib,
your system will never boot again.  Many things (including, apparently,
fsck or something at startup) simply silently fail to work.




redirecting input to s_client

2003-02-17 Thread Himanshu Soni
Hi

Is there a way to redirect the GET/POST request from a file to the openssl
s_client app? something like:

cat get.txt | openssl s_client -connect server:443 -cert crtfile -key keyfile

The result of the above is that the program exits with DONE printed to the
console.

I have tried the -pause switch with the above but with no luck.

Thanx in advance for any help.

Himanshu Soni 



Re: r.e. OpenSSL and MacOS (pre-OS X)

2003-02-17 Thread Aram Perez
Hi Rodney,

Yes, that happened to me. I didn't delete the files, just moved them to
another directory, but then I couldn't boot. I had to boot into single user
mode, copy the files back and then I was able to reboot fine.

Regards,
Aram





Re: OpenSSL 0.9.6/0.9.7 library version conflicts

2003-02-17 Thread Vivek Khera
 TL == Terry Lambert [EMAIL PROTECTED] writes:

TL not being overridden, even when the library path is.  This is
TL most likely due to a bug in the GNU configure script.  The best
TL way around those bugs is do not use GNU configure.

 FYI, FreeBSD is not the only OS on which this problem has been found to
 exist. Debian Linux is experiencing the same problem. See a post to
 debian-devel-announce attached below.


TL FWIW: this confirms that it's a Postfix problem.

Postfix does not use GNU configure.  I'm not sure how to fix it, but
will gladly accept patches that work both with and without the openssl
port.



Re: OpenSSL 0.9.6/0.9.7 library version conflicts

2003-02-17 Thread Terry Lambert
Then whatever it uses instead to determine platform dependencies
isn't working.

The issue is that there should be a way to specify use of a
preferred -I for include files during compilation, and a
preferred -L for library files, during linking, and that one
or both of these is missing.

-- Terry



Making Private CA

2003-02-17 Thread Chandrasekhar R S
Hello,
I am making my own private CA, using the CA.pl scripts provided under the
apps directory of OpenSSL release.

I run ./CA.pl -newca

It asks for a filename, and I press enter without giving any.

I am prompted for a PEM pass phrase.  I enter some.

After which, I get the following error

unable to find 'distinguished_name' in config
problems making Certificate Request
28979:error:0E06D06A:configuration file routines:NCONF_get_string:no conf
or environment variable:conf_lib.c:324:

Please note that I had copied the openssl.cnf to the same directory as
CA.pl but didn't modify any of the contents of openssl.cnf.


- rsr.

Namaste,
R S Chandrasekhar
[EMAIL PROTECTED]
ISD : 091-080-2051166
Telnet : 847-1166
